EFB Tampering 1. Introduction and Class Differences

TL;DR

• Electronic flight bags (EFBs) are devices that flight crews use to help with flight management tasks
• Different airlines use different devices e.g. iPads, netbooks, custom devices
• Some are carried on by flight crew, others are built-in to the cockpit
• Some important functions are carried out by some EFBs for some airlines,  particularly engine thrust calculations for take off (‘perf’)

Before we go in to the detail, it’s important to understand what an EFB does and how they are used:

Introduction

Electronic Flight Bags (EFBs) are becoming increasingly common to find on Flight Decks. They have been available for purchase since 2005 when the very first EFB was successfully trialled on flights from Miami. They come in all shapes and sizes – their functions vary significantly depending on the device used, the software installed, specific airline procedures and aircraft type specific procedures.

Common devices include Apple iPads, Surface Pro tablets, Windows / Linux based laptop computers and custom made devices developed specifically to be used as EFBs. Common functions include calculation of critical data used by the pilots (e.g. takeoff thrust setting) and the storage / display of navigation charts and manuals to the pilots.

The benefits of using EFBs are well documented – one benefit which stands out in particular is fuel saving. By removing heavy paper manuals from the flight deck (as they can now be viewed on an EFB) the weight saving is estimated to be anywhere up to 100kg per flight. The cost saving as a result of the reduced fuel burn due to lighter aircraft weight is estimated in the large airlines to be in the region of several million dollars every year.

This blog series demonstrates some potential consequences of the manipulation of data by a malicious hacker – and just how important the testing and assessment of EFB security is. It is important to consider however that airlines and aircraft can vary significantly in their Standard Operating Procedures (SOPs). Some airlines / aircraft will have multiple cross-checks to prevent some of the errors discussed in this blog series. Some airlines / aircraft don’t use cross-checks. The items discussed are not intended as an exhaustive list but highlight some of the possible outcomes as a result of EFB tampering.

The Garbage In Garbage Out concept is well understood by pilots and is considered to be the main threat when using applications on EFBs – the concept that the actual application could be faulty is almost inconceivable. In particular with regards to aircraft performance applications pilots spend hours rehearsing and practising methods for ensuring entries are correct.

What they don’t consider is what if the application is not applying the correct formula for the mathematical calculations being performed – or alternatively what if the output the pilot sees is not the output the application calculated.

Another consideration is James Reasons’ Swiss Cheese Model of Accident Causation. This likens an organisations defences to a series of slices of randomly-holed Swiss Cheese.

Data manipulation

Manipulation of data not only helps to align the holes of the swiss cheese – in some of the situations discussed in this blog series there are few layers of “cheese” there to prevent an incident / accident occurring.

Many of the targets that discussed in this series have both direct and indirect tampering / manipulation methods.

Direct manipulation: The direct and intentional modification of a target to produce a different output / function to that which is expected or intended.

Indirect manipulation: Manipulation of a target by the modification of a different target which consequentially changes the output / function of another target.

Calculators can’t be faulty, right?

Class differences

Previously there were multiple methods for categorising EFBs, the most common method using the Class 1 / 2 / 3 system. Through 2016 and 2017 these methods were harmonized under ICAO resulting in two classes of EFB, Installed and Portable.

If EFB equipment supporting EFB applications is incorporated into aircraft type design (or as an official alteration), it is classed as Installed. If however EFB equipment is not part of the aircraft type design (nor is it an official alteration) then it is classed as Portable – regardless of how often it is removed from the aircraft. Portable EFBs are considered to be portable electronic devices (PEDs).

Within both classes, there is a great variety of hardware and software being used. Operating systems can be either standard systems (e.g. Windows or Linux) or custom-written operating systems. For example Austrian Airlines and Lufthansa use the Surface Pro 3 tablet whereas American Airlines and Delta Airlines use Apple iPads.

Installed EFB: Can carry Type A and B applications
Incorporated into the aircraft type design (or as an official alteration). Subject to normal airworthiness requirements and under design control. Approval is included in the aircraft’s type certificate or in a supplemental type certificate. Software may need to be partitioned so that non-certified applications do not interfere with certified avionics functions.

Image: Installed EFB

Portable EFB: Can carry Type A and B applications

• Not part of the aircraft type design (nor an official alteration). These devices are considered PEDs. Generally have self-contained power and may rely on data connectivity to achieve full functionality.
• The term “portable” does not mean the device is regularly removed from the aircraft. In some cases, it’s permanently fixed to the aircraft.

Applications explained

There are 3 Application Types: A, B and C.

Type A:

• Have a failure condition classification considered to be no safety effect
• Do not substitute for or replace any paper, system or equipment required by regulations
• Do not require specific authorisation for use

Examples include:

Minimum equipment lists Configuration Deviation Lists Chart Supplements Aircraft parts manuals Pilot flight and duty-time logs
Captain’s Report Trip scheduling Antiterrorism profile data Hazardous materials tables Airline Policy & Procedures Manuals

Minimum equipment lists	Configuration Deviation Lists	Chart Supplements	Aircraft parts manuals	Pilot flight and duty-time logs
Captain’s Report	Trip scheduling	Antiterrorism profile data	Hazardous materials tables	Airline Policy & Procedures Manuals

Type B:

• Have a failure condition classification considered minor
• May substitute or replace paper products of information required for dispatch
• May not substitute for or replace any installed equipment required by regulations
• Require specific authorization for operational use

Examples include:

Manuals including SOPs, Aircraft Flight, Maintenance, Flight Operations etc. Master Flight Plan Power Settings for Reduced Thrust Settings Runway Limiting Performance Calculations Company Standard Operating Procedures
Operating Information Manuals (Weight & Balance / Limitations etc) Weight & Balance Calculations Flight Planning Software Aeronautical Charts (e.g. Departure / Approach) Non-interactive Electronic Checklists

Manuals including SOPs, Aircraft Flight, Maintenance, Flight Operations etc.	Master Flight Plan	Power Settings for Reduced Thrust Settings	Runway Limiting Performance Calculations	Company Standard Operating Procedures
Operating Information Manuals (Weight & Balance / Limitations etc)	Weight & Balance Calculations	Flight Planning Software	Aeronautical Charts (e.g. Departure / Approach)	Non-interactive Electronic Checklists

Type C:

Not considered potential EFB applications. Policy is that any non-Type A or non-Type B application should undergo a full airworthiness approval and thus become a certified avionics function. These can be used as a multi-function display (MFD) and can incorporate other functions such as depicting weather radar / navigation information.

Airlines decide what documentation / processes they want to put on EFBs. This varies from airline to airline and within companies varies significantly between each aircraft type. For example one airline uses the Boeing Electronic Logbook on their longhaul fleet but still use paper technical and cabin logs on their shorthaul fleet.

Many airlines order aircraft from the manufacturer but without the manufacturer installed EFB and instead use their own software on other devices (Apple iPads being a common device).

Connectivity between the EFB and the aircraft varies with many portable EFBs not requiring any connection for their designed functions – even the power source is often from a battery pack rather than from the aircraft power supply. EFBs towards the more advanced end of the scale will need a connection to the aircraft.

In the A350 case each pilot has a docking station they can connect their company / personal laptop to. This enables them to use the aircraft fitted keyboard and touchscreens, and it displays the company / personal laptop on the outer screen in front of the pilots. The outer screens are called the Onboard Information System (OIS) and are designed to display EFB applications from stowed laptops.

Image: OIS EFB Display

EFB Functions

These are just a  few examples;

• Electronic checklists: Normal, abnormal and emergency checklists
• Flight briefing / planning: Flight plan storage, completion, modification, and submission
• Maintenance: Discrepancy signoff logs
• Mass & balance calculations: Positioning/distribution of cargo, fuel, and passengers
• Performance calculations: Takeoff, enroute, landing, go-around and emergency performance calculations
• Reporting: Internal safety reporting
• Rostering: Flight/duty time records
• Weather: Airfield and en-route live weather viewing

EFBs and engine performance calculation (‘perf’)

Running airplane engines at high power causes extra engine wear. This can significantly increase maintenance cost and also uses more fuel than necessary.

If the takeoff runway is long enough and other factors (air temperature, weight, wind direction, altitude, obstacle clearance  etc) are favourable, it’s not necessary to run the engines at full power to take off safely.

This is achieved in one of two ways: either to ‘de-rate’ the engine by electronically limiting it, or to input different temperature data, causing the engine to produce less thrust. The latter is known as ‘flexible temperature’ or FLEX and will be marked as FLX on the throttles of many Airbus craft:

Producing less thrust is advantageous for engine maintenance, but clearly results in a longer ground roll, slower acceleration and a reduced rate of climb. The thrust calculations are made by the pilots, entered in to the flight management system and cross checked. Historic errors in the calculations have caused incidents, so electronic aids are increasingly employed, usually an electronic flight bag.

Data that contributes to the calculations includes the runway length. This is typically contained in a database in the EFB

It doesn’t take much to realise that incorrect data can cause very serious issues. There are a few reported incidents per year where pilots have calculated incorrect thrust levels. In nearly all cases, the plane takes off very late on the runway, often clearing obstacles by very small margins or resulting in a damaging tail strike. In some cases, crashes have occurred as the airplane overran the runway.

Examples:

A321, 24/11/2019 – flex temp of 79C keyed instead of 49C, a result of distraction during checks. Airplane lifted off ~400m from end of runway

A319, 29/11/2019 – wrong runway intersection entered, artificially increasing available runway for perf calcs, both pilots made the same error. Airplane lifted off ~300m later than intended.

In most cases, highly-trained crews recognise the lack of performance and apply increased thrust (‘TOGA’) . It doesn’t always end this well though:

Here’s a Royal Maroc 737 flight that very nearly went badly wrong for similar reasons: https://www.youtube.com/watch?v=Kle80KB_s3I

Watch as the pilot rotates too early with insufficient thrust, settles back on to the runway and nearly strikes the tail

Qatar Airways 777, 15/11/2015 – again misreading information and taking the wrong runway intersection. Airplane struck approach lights, tearing an 18 inch gash in the fuselage

MK Airlines 747, 14/10/2004 – crew fatigue may have resulted in incorrect weight data being entered in the EFB. Sadly, the airplane crashed shortly after take off with the loss of the crew.

Electronic flight bags are therefore an increasingly important part of airplane reliability, safety and efficiency.

What’s next?

There are currently four posts in this series on EFB security:

• EFB Tampering 1. Introduction and Class Differences
• EFB Tampering 2. Device Integrity
• EFB Tampering 3. Take-off part one
• EFB Tampering 3. Take-off part two

Related: EFB Safety Advice for Pilots